The OpenSSH vulnerability and the disclosure process
By now, presumably, most of you are running on systems with an updated
OpenSSH installed. It has been over a week since the
"challenge/response" vulnerability was disclosed; there remains, however, a
great deal of controversy over how that disclosure happened. According to
one point of view, the OpenSSH team withheld specific information on the
vulnerability in order to create fear, bring about massive upgrading, and
draw attention away from what is, in the end, an OpenBSD-specific
vulnerability. Such a view goes over well in the Linux community, where
many users upgraded in a hurry only to find out that they never had been
vulnerable in the first place. The real story is more complicated,
however; it is worth understanding what was going on and how it reflects on
how our security processes work.
The disclosure of a vulnerability is the opening bell of a high-stakes race
between crackers, vendors, and system administrators. Crackers will put
amazing amounts of time and energy into the rapid creation of exploit tools,
which are then distributed to script kiddies and other "black hat" types
worldwide. Before those tools are widespread, vendors have to create an
updated package, put out an alert, and get system administrators to
actually apply those packages. System administrators who lose the race -
either because updates were not available, or because they did not apply
those updates - run a serious risk of having their systems compromised.
The time window between the disclosure of the vulnerability and the posting
of exploit tools can be less than one day.
This grace period before the exploits appear is at the core of why the
OpenSSH team acted the way it did. Through careful information and release
management, the OpenSSH developers hoped to maximize the amount of time
that system administrators had to secure their systems. They wanted
OpenSSH users to be able to begin running the race while keeping the
crackers sidelined for a little longer.
The first step, thus, was to put out a vague notice that there was a
problem, along with an OpenSSH release which contained the problem without
actually fixing it. If the OpenSSH team had released a patch which fixed
the real problem, it would undoubtedly have been easier for vendors to tell
their users if they were vulnerable. It also would have enabled users to
secure their systems - if, indeed, they were vulnerable - by simply
disabling the challenge/response feature. But it also would have given the
crackers the information they needed to develop an exploit. Releasing a
warning and enabling privilege separation were actions intended to deny the
crackers access to that information. As OpenSSH maintainer Theo de Raadt
tells us:
The warning permitted the community to move to privsep, filter
their networks, or disable ssh for a window of time until a new
one arrived.
In fact, according to the fourth version of the
OpenSSH advisory, even telling users about other workarounds would have
released too much information:
We could not alert the community that disabling
ChallengeResponseAuthentication solved the problem, since this
would highlight that the bug is in about 500 out of 27,000 lines of
code.
For most security vulnerabilities, the accepted procedure is to notify
vendor security contacts before the community as a whole so that they can
prepare an updated package for their users. There are special, "security
contacts only" mailing lists which exist for just this sort of
notification. In this case, that procedure was not followed; vendors were
told no more than anybody else about the nature of the vulnerability. This
was a cause for some disgruntlement in the vendor community, which did not
like having its response managed in this way. According to Mark Cox, who
handles security at Red Hat:
At Red Hat we try to backport security fixes if that means they
will have a lower impact on our users and therefore be easier to
install. We try to avoid switching users to new upstream versions
of software where there have been significant non-security fixes
also added. In this particular case we were asked by the OpenSSH
team to switch our userbase onto a brand new release of OpenSSH
that had a significant functionality change, and one that was not
completely working in all cases.
In fact, when the final Red Hat
advisory came out, it noted that most users were not vulnerable and
provided a patched version of OpenSSH 3.1. Until the disclosure,
however, Red Hat (and other distributors) had no option other than
preparing a full OpenSSH 3.3 package, fixing the problems, and pushing
it onto the users. Keeping the vulnerability information secret most
certainly made life harder for distributors. Now that the information is
out and the hole closed, distributors like Red Hat can prepare
OpenSSH 3.4 packages with full testing prior to release.
The OpenSSH team did not disclose the vulnerability to vendors for a simple
reason: they did not trust those vendors to keep the information secret.
Quoting Theo de Raadt again:
It has been shown that these mailing lists do not work, and that
they leak information into blackhat or public forums very
quickly...
I've seen leaks happen. Last week, the resolver issue was released
extremely quickly (too quickly I think) because leaks started
moving through the FreeBSD and NetBSD communities within hours of
their security contacts being informed.
It does not help, of course, that there are some 80 vendors which ship
OpenSSH in some product or other. This remains a disturbing claim,
however: the free software security contact mechanism, it is said, is not
secure. Then again, perhaps the old Ben Franklin quote applies: three may
keep a secret if two of them are dead. It is almost certainly unrealistic
to expect 80 vendors to keep something under wraps for very long.
So how can our community function in the claimed absence of a working
security infrastructure? Should all vulnerabilities be handled the way
this one was? The OpenSSH team claims that this bug was special, for a
couple of reasons. One is that OpenSSH is now nearly ubiquitous - there
are far more ssh servers exposed to the net than web servers, for example.
Thus the vulnerability had to be handled with extra care. The other
reason, of course, was that there was a way to protect users against
exploits without (immediately) disclosing the nature of the problem. From
the OpenSSH advisory:
We feel that this method of releasing served the community best for
a "contained" vulnerability of this kind. We do not suggest this
is necessarily the correct information release process for all
problems, and as firm believers of full disclosure have never
suggested that, though we believe that disclosure must be carefully
handled.
The real answer, according to Theo, is "fast vendors." In the end, for
most users, it is still a matter of how quickly their distributor makes an
update available. In this case, the first OpenSSH exploit turned up on
Bugtraq 22 hours after the disclosure went out.
Opinions certainly differ on the best way to give users a
head start, but security in the modern world is still a race.
(As a postscript, the OpenSSH team is recommending that all users upgrade
to 3.4, even if they are not vulnerable to this particular problem. It has
"lots of other fixes people need.")
Comments (6 posted)
The 2002 Ottawa Linux Symposium
Your editor, tired after a couple of days of Kernel Summit coverage,
decided not to produce talk-by-talk coverage from the Ottawa Linux
Symposium. Information from some of the talks will show up in LWN
over the next week or two; for people wanting the full details
the conference proceedings are available online (as a 3MB PDF file).
OLS is increasingly a kernel-oriented event. There were only two
GNOME-oriented talks on the schedule this year, and very few others that
discussed user-space topics. Kernel topics have always been a big part of
OLS, but the kernel is well on the way toward becoming the only topic.
Attaching the Kernel Summit to the conference (which might happen again
next year) further encourages that trend. That, of course, is entirely
acceptable to those of us interested in the kernel. OLS could become
the premier worldwide kernel-oriented conference.
Interestingly, the tutorials had a very different orientation, with topics
like DocBook and authenticating Windows 2000 users.
Stephen Tweedie talked, in his keynote, of the importance of providing
opportunities for hackers to meet face to face. Interactions just go
better when you've had a chance to "share a pint" with your collaborators
and when you are able to associate a face with the email address. Thus, as
a community, we need events like OLS. So it is encouraging to see
that OLS attendance was back up this year.
One final note to the joker who thought your editor should win a copy of
Running Weblogs With Slash: that's not funny...
Comments (1 posted)
The importance of saying "thanks"
Jon 'maddog' Hall gave a talk at the OLS reception on the first day of the
conference. Those who have heard other maddog talks would certainly
recognize the collection of "amusing stories from maddog's travels" theme
of this one. Mr. Hall did, however, make a new and worthwhile point this
time around.
Users of free software (and we all are, in one way or another) often have
many things to say to the developers of that software. They send in
feature requests and bug reports. They ask where the next release is.
They want help making things work. They complain about vulnerability
disclosure policies. They post snide comments about the quality of the
code or the documentation.
It is relatively uncommon for free software users to simply say "thanks."
Every line of free code is a gift from the developer (or from whoever paid
for the developer's effort). Nobody is entitled to free software; it's a
windfall, a present from those who created it. All told, it is a gift
worth, by most accounts, billions of dollars.
A little gratitude goes a long way. The next time you deal with a
developer of a package that you use, consider throwing in a brief "thank
you." The developers have earned it.
Comments (8 posted)
Page editor: Jonathan Corbet
Security
Security news
OWASP Guide to Building Secure Web Applications
Congratulations to the Open Web Application Security Project on this, its
first release. OWASP's "Guide to Building Secure Web Applications" is now
available in HTML or PDF format.
The Guide covers various web application security
topics from architecture to preventing attack
specifics like cross site scripting, cookie
poisoning and SQL injection. It's 80 pages of pure
web application security and no vendor marketing in
sight! The document is released under the GNU
documentation license and was a community volunteer
effort. Big kudos to all those involved.
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com.
Full Story (comments: 1)
TCPA / Palladium Frequently Asked Questions
Ross Anderson has released version 0.1 of TCPA / Palladium Frequently Asked Questions.
Ross Anderson is the leader of the
Computer Security Group at the University of Cambridge Computer Laboratory.
His recent paper (available in PDF format) on security in open vs closed
systems was the subject of articles in the New York Times and News.com as
well as last week's Security page.
Full Story (comments: 1)
BIND 4.9.8-OW2 and 4.9.9-OW1 released
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not affect Linux.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Details on the vulnerability
are available in the CERT Advisory.
Full Story (comments: none)
TurboLinux updates
Turbolinux, it seems, quietly put out a big
pile of updated RPMs on the
Turbolinux Security Center
in the first half of June.
No advisories, just RPMs.
Although they do not address the current apache or ssh problems,
this is still a welcome sign that TurboLinux may be taking security more seriously.
We expressed concern with the lack of security updates
from TurboLinux back in
January.
Comments (none posted)
Security reports
Apache worm on the loose
It is way past time to upgrade your Apache servers.
A worm which takes advantage of the "chunk handling" vulnerability has been sighted, and its source has been publicly posted.
For a list of distributor alerts,
see the
vulnerability report.
The June 2002 Netcraft Web Server Survey
estimated that as of July 1st there were still "around 14 Million
potentially vulnerable Apache sites."
ZDNet covered the worm with articles on its history and speculation on the
potential for a new wave of network attacks.
Robert Lemos chronicled the mildness of the worm's impact so far for CNET
News.com in articles published June 28th and July 1st. Capture of the worm
in a honeypot system was reported on June 28th.
Comments (none posted)
XSS not in stable Slashcode
Despite a report to the contrary this week, Jamie McCarthy assures us that
the cross site scripting vulnerability which took down slashdot.org is not
in the 2.2.5 release, or any other stable release.
"The bug was introduced in CVS on June 17 and was fixed on July 1."
Full Story (comments: none)
Cross site scripting vulnerability in Betsie
Betsie version 1.5.11, and all versions before, have a cross site scripting
vulnerability which is fixed in version 1.5.12.
Betsie stands for BBC Education Text to Speech Internet Enhancer, and is a simple Perl script which is intended to alleviate some of the problems experienced by people using text to speech systems for web browsing.
Full Story (comments: none)
Acrobat reader 5.05 temporary files
Paul Szabo reports a symlink attack vulnerability in Acrobat Reader 5.05.
Acroread uses a file it creates with wide open permissions (mode 666) in
/tmp; "it also follows symlinks."
Jarno Huuskonen reported a similar vulnerability in Acrobat Reader 4.05
last week.
Full Story (comments: none)
Xitami 2.5 Beta script injection vulnerabilities
Script injection vulnerabilities were reported in Xitami 2.5 Beta from iMatix.
Xitami is a high performance portable web server.
Full Story (comments: none)
New vulnerabilities
Apache mod_ssl off-by-one local code execution and DoS vulnerability
| Package(s): | libapache-mod-ssl mod_ssl |
| CVE #(s): | CAN-2002-0653 |
| Created: | July 2, 2002 |
| Updated: | August 14, 2002 |
| Description: |
Mod-ssl provides strong cryptography for the Apache webserver
via the Secure Sockets Layer (SSL).
A maliciously-crafted .htaccess file may
be used by an attacker to execute arbitrary
commands as the httpd user or launch a denial of service attack.
The problem is fixed in mod_ssl 2.8.10, which is available
from here.
For more information see the announcement.
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
Apache 'chunk handling' vulnerability
| Package(s): | apache |
| CVE #(s): | CAN-2002-0392 |
| Created: | June 19, 2002 |
| Updated: | July 3, 2002 |
| Description: |
It is past time to upgrade your Apache servers. A worm which takes advantage of this vulnerability has been sighted, and its source has been publicly posted.
An apache httpd bug related to chunked encoding presents a denial
of service vulnerability. For some platforms,
including both 32-bit and 64-bit Linux, it is also a potential remote exploit vulnerability.
A "carefully crafted invalid request" may be
used to trigger the bug. The problem is fixed in Apache
2.0.39 and 1.3.26, which may be downloaded
from here.
For more information, see the advisories from CERT and the Apache Group.
This vulnerability has been widely publicized. Applying a patch from your vendor or upgrading to the latest version from the Apache Software Foundation is strongly encouraged. Avoid patches from other sources; at least one patch that
does not address the full scope of the problem has been circulated.
| Alerts: | |
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 20, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th).
| Alerts: | |
Comments (none posted)
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind |
| CVE #(s): | CAN-2002-0400 |
| Created: | June 5, 2002 |
| Updated: | August 19, 2002 |
| Description: |
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability cannot be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
News articles on the vulnerability appear in the Register and
Network World Fusion News.
| Alerts: | |
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404 |
| Created: | June 12, 2002 |
| Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4 was released on May 19, 2002 fixing four potential
security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test suite found some flaws in SNMP and LDAP protocol support.
Malformed packets could also crash ethereal 0.9.2 due to an
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors.
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 20, 2002 |
| Updated: | May 16, 2003 |
| Description: |
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1
stable and the 4.1.6 development version. A patch is available.
(First LWN report: May 2).
| Alerts: | |
Comments (none posted)
Buffer overflow problem in glibc
| Package(s): | glibc glibc/shlibs, glibc, nscd |
| CVE #(s): | CAN-2001-0886 |
| Created: | May 20, 2002 |
| Updated: | July 14, 2002 |
| Description: |
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description of this vulnerability.
This problem was first reported by LWN on December 20th.
| Alerts: | |
Comments (2 posted)
Buffer overflow in groff
| Package(s): | groff |
| CVE #(s): | CAN-2002-0003 |
| Created: | May 20, 2002 |
| Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
| Alerts: | |
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
| CVE #(s): | CAN-2002-0379 |
| Created: | June 5, 2002 |
| Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
| Alerts: | |
Comments (2 posted)
LPRng accepts jobs from any host.
| Package(s): | LPRng |
| CVE #(s): | CAN-2002-0378 |
| Created: | June 12, 2002 |
| Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for administrators
with systems exposed to the general public.
| Alerts: | |
Comments (none posted)
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman |
| CVE #(s): | CAN-2002-0388 |
| Created: | June 5, 2002 |
| Updated: | August 28, 2002 |
| Description: |
Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
| Alerts: | |
Comments (none posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
| CVE #(s): | CAN-2002-0354 |
| Created: | May 20, 2002 |
| Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security bug impacts all Mozilla-based browsers.
"The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various
operating system platforms, and in Netscape versions 6.1 and higher."
(First LWN report: May 2).
| Alerts: | |
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0374 |
| Created: | June 5, 2002 |
| Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism.
| Alerts: | |
Comments (none posted)
Privilege Separated OpenSSH 3.3
| Package(s): | openssh |
| CVE #(s): | |
| Created: | June 24, 2002 |
| Updated: | June 26, 2002 |
| Description: |
The release of OpenSSH 3.3 includes greatly improved support for
privilege separation, which is now enabled by default.
The process charged with talking to the network now runs without privilege.
Upgrading is strongly recommended (see below).
Previously any corruption in the sshd could lead to an immediate remote root compromise if it happened before authentication, and to local root compromise if it happened after authentication. Privilege Separation will make such compromise very difficult if not impossible.
Or to put it into the words of Theo de Raadt: "Privilege Separation will one day save our asses." So, turn it on now.
When upgrading with a 2.2.x kernel, disabling compression is recommended
to avoid this bug which causes sshd to log a fatal mmap argument error then crash.
Update:
According to this OpenSSH Security Advisory,
OpenSSH 3.3 has a serious privilege escalation vulnerability.
Please see the new vulnerability report
for more information and a list of available alerts.
| Alerts: | |
Comments (1 posted)
Privilege escalation vulnerability in OpenSSH 2.9.9 through 3.3
| Package(s): | openssh |
| CVE #(s): | |
| Created: | June 26, 2002 |
| Updated: | July 3, 2002 |
| Description: |
OpenSSH versions 2.9.9 through 3.3 have a
bug in input validation which can lead to
an integer overflow and privilege escalation.
According to the OpenSSH developers:
Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.
The 3.4 release contains many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
Upgrading to OpenSSH 3.4 is recommended.
See the CERT Advisory and OpenSSH Security Advisory
for more information including patches for the "pre-authentication problem."
OpenSSH 3.3 users are encouraged to also read
the previous vulnerability report.
OpenSSH 3.2 and later have the bug in input validation
but prevent the privilege escalation if privilege separation is enabled by setting
UsePrivilegeSeparation in sshd_config.
Version 3.3 was the first release to turn on "privilege separation" by default. Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.
CERT Advisory: CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling
| Alerts: | |
Comments (none posted)
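The two-process split described above, written out as an added example (this is not OpenSSH's code): an unprivileged worker parses the untrusted input and may only ask the privileged monitor one fixed-shape question over a socketpair, so a parsing bug lands in a process that holds no privilege. The allow-list, the "USER <name>" line format and the fallback "nobody" ids are constructed for the example.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The only message shape the worker may send.  The monitor never sees raw
 * network bytes, only this fixed-size, fixed-type request. */
enum { REQ_CHECK_USER = 1 };
struct privsep_req { int type; char user[32]; };
struct privsep_rep { int allowed; };

/* Constructed allow-list standing in for the real credential check that the
 * privileged side would perform. */
static const char *allowed_users[] = { "alice", "bob", NULL };

/* Monitor side: re-validates the request shape (it does not trust the
 * worker) and makes the decision. */
static int monitor_decide(const struct privsep_req *req) {
    if (req->type != REQ_CHECK_USER) return 0;
    if (memchr(req->user, '\0', sizeof req->user) == NULL) return 0;
    for (const char **u = allowed_users; *u != NULL; u++)
        if (strcmp(*u, req->user) == 0) return 1;
    return 0;
}

/* Worker side: give up root before touching untrusted data.  Falls back to
 * the conventional "nobody" ids (assumption) if the account is missing from
 * the passwd file; a no-op when the process is not root to begin with. */
static int drop_privileges(void) {
    uid_t uid = 65534; gid_t gid = 65534;
    if (geteuid() != 0) return 0;
    struct passwd *pw = getpwnam("nobody");
    if (pw != NULL) { uid = pw->pw_uid; gid = pw->pw_gid; }
    if (setgroups(0, NULL) != 0) return -1;       /* drop supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                /* the drop must not be reversible */
    return 0;
}

/* Worker side: parse the untrusted line "USER <name>" and ask the monitor.
 * Oversize or malformed input is refused rather than copied. */
static int worker_handle(int sock, const char *untrusted) {
    struct privsep_req req = { .type = REQ_CHECK_USER };
    struct privsep_rep rep;
    if (strncmp(untrusted, "USER ", 5) != 0) return 0;
    size_t n = strcspn(untrusted + 5, "\r\n");
    if (n == 0 || n >= sizeof req.user) return 0;
    memcpy(req.user, untrusted + 5, n);
    req.user[n] = '\0';
    if (write(sock, &req, sizeof req) != (ssize_t)sizeof req) return 0;
    if (read(sock, &rep, sizeof rep) != (ssize_t)sizeof rep) return 0;
    return rep.allowed == 1;
}

/* One complete exchange: fork the worker, answer its single request from the
 * monitor, and report the outcome (1 allowed, 0 denied, -1 setup failure). */
int privsep_authorize(const char *untrusted) {
    int sv[2], status;
    struct privsep_req req;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                               /* worker process */
        close(sv[0]);
        if (drop_privileges() != 0) _exit(2);
        _exit(worker_handle(sv[1], untrusted) ? 1 : 0);
    }
    close(sv[1]);                                 /* monitor process */
    if (read(sv[0], &req, sizeof req) == (ssize_t)sizeof req) {
        struct privsep_rep rep = { .allowed = monitor_decide(&req) };
        ssize_t w = write(sv[0], &rep, sizeof rep);
        (void)w;                                  /* on failure the worker sees EOF and denies */
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample lines as a client might send them. */
    const char *samples[] = { "USER alice", "USER mallory", "PASS hunter2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], privsep_authorize(samples[i]));
    return 0;
}
```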
Remotely exploitable vulnerability in pine
| Package(s): | pine |
| CVE #(s): | CAN-2002-0014 |
| Created: | May 20, 2002 |
| Updated: | November 27, 2002 |
| Description: |
Pine has an unpleasant URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
| Alerts: | |
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
| CVE #(s): | CAN-2002-0178 |
| Created: | May 20, 2002 |
| Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN report: May 16).
| Alerts: | |
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
| CVE #(s): | CAN-2002-0380 |
| Created: | June 5, 2002 |
| Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
| Alerts: | |
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | October 5, 2004 |
| Description: |
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
| Alerts: | |
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
| CVE #(s): | CAN-2002-0012, CAN-2002-0013 |
| Created: | May 20, 2002 |
| Updated: | September 17, 2002 |
| Description: |
Most SNMP implementations out there have a variety of buffer overflow
vulnerabilities and should be upgraded at first opportunity. See this
CERT advisory for more. (First LWN report: February 14).
| Alerts: | |
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug. This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
| Alerts: | |
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for system administration for Unix.
Webmin has cross-site scripting and session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN report: May 9).
This one is scary. The session ID spoofing vulnerability allows the
"possibility that arbitrary commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
| Alerts: | |
Comments (1 posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
| Alerts: | |
Comments (1 posted)
xchat IRC server based dns query vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2002-0382 |
| Created: | June 5, 2002 |
| Updated: | September 24, 2002 |
| Description: |
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable.
| Alerts: | |
Comments (none posted)
Resources
Apache and OpenSSH Vulnerabilities (Linux Journal)
Linux Journal
explains to Linux newbies how to deal with the latest Apache and OpenSSH security vulnerabilities.
"If you don't know for sure if your Linux box runs Apache or OpenSSH,
you are at the greatest risk. We do not have space here to
teach you about your package management tool. All we can say is take your
system off the Net, learn how to check what you have installed
and either remove these packages or upgrade them. Many Linux
distributions come with services running "out of the box" and don't
tell users about everything that is present. Do not assume that you're
not running Apache or OpenSSH unless you know for sure how to check."
Comments (none posted)
Linux Security Week
The July 1st Linux Security Week newsletter from LinuxSecurity.com is available.
Comments (none posted)
Events
Registration for H2K2 New York City closes this week.
H2K2 is the next in the line of New York City hacker conferences
organized by volunteers and 2600. Panels of particular interest to this
list might include "Crypto for the Masses," "Databases and Privacy,"
"Educating Lawmakers - Is It Possible?," and "Secure Telephony."
Full Story (comments: none)
Upcoming Security Events
| Date | Event | Location |
| July 12 - 14, 2002 | H2K2 "Hacker" conference | New York City |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | Caesars Palace Hotel and Resort, Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
| August 19 - 21, 2002 | Canadian Security & Intelligence Conference (CSICON) | Hyatt Regency, Calgary, Alberta, Canada |
| August 28 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea |
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Kernel development
Release status
Current release status
The current development kernel remains 2.5.24. Linus has not
released any kernels - or surfaced on the linux-kernel mailing list - since
before OLS and the Kernel Summit. Some patches are beginning to show up in
his BitKeeper tree, however; they include some SCSI updates, an NTFS
update, and, interestingly, a change of the internal x86 clock frequency to
1000 Hz.
The current stable kernel release is still 2.4.18. No new 2.4.19
release candidates have been announced in the last week.
The latest 2.5 kernel status summary from
Guillaume Boissiere came out on July 3.
Kernel development news
A safe SCHED_IDLE implementation
A longstanding kernel feature request is a
SCHED_IDLE scheduler
class. Tasks running as SCHED_IDLE would only run when the processor would
otherwise be idle. The "niceness" scheme in the current scheduler does not
provide this behavior: even the lowest-priority processes will run
sometimes. Users who want to search out encryption keys,
model proteins, or search for
extraterrestrial life on their systems generally want that work to not take
any time from other tasks running on the system. Thus the request for
SCHED_IDLE.
In principle, SCHED_IDLE is not that hard to implement. The
problem, of course, is the classic priority inversion trap. If a
SCHED_IDLE process acquires an important shared resource, such as
an internal filesystem semaphore, there is no way to know how long the
process may have to wait before it can run long enough to release that
resource. A SCHED_IDLE process can be preempted at any time by a
higher-priority process; it could then keep needed resources unavailable
indefinitely. Priority inversion problems can come up by themselves; this
situation could also be brought about intentionally as a denial of service
attack.
So far, no solution to this problem has been implemented, so no
SCHED_IDLE patch has ever been merged into the kernel. It is
easier to simply ensure that every process makes a little progress
occasionally so that priority inversion problems resolve themselves.
Now Ingo Molnar has posted a patch which, he
claims, implements SCHED_IDLE (which he calls
SCHED_BATCH) in a safe way. Those who are curious are encouraged
to read his posting, which describes the work in far more detail than you
will find here.
The fundamental observation behind Ingo's approach is that processes only
hold important kernel resources, such as semaphores, when they are running
in kernel mode. If a SCHED_BATCH process is preempted when
running in user mode, it is safe to set that process aside indefinitely.
If, instead, it is running in kernel mode, it must be allowed to finish its
work within a reasonable period of time.
So Ingo's patch splits the schedule() call into two variants.
schedule_userspace() is called when the preempted process is
running in user mode; it implements the full SCHED_BATCH
semantics. schedule(), instead, is invoked when the process is in
kernel mode; it will handle a SCHED_BATCH process like any other,
normal process. Thus SCHED_BATCH processes essentially have their
priorities raised while running in kernel mode.
Raising the priority of processes that hold critical resources is a classic
response to priority inversion problems. Ingo's patch takes a slightly
simpler approach by treating the entire kernel as such a resource. This
patch will raise the priority of SCHED_BATCH processes a bit more
than is strictly necessary; the approach should be robust, however, and the
difference in scheduling behavior would be difficult to measure.
A use for IDE taskfile access
A number of people have complained about the removal of the IDE taskfile
operations from the 2.5 version of the driver. For anybody wondering why
people might want this obscure capability, consider
this posting from Scott Tillman. Scott is
working on the "port Linux to the XBox" effort. It turns out that the XBox
IDE drive will not allow access to its sectors until a special,
vendor-specific "password" command has been run. Taskfile access is needed
to be able to issue that password.
Of course, providing taskfile access so that this command can be issued
could, with a broad reading, be seen as a violation of the DMCA's
anticircumvention measures. It is a bit of a stretch, and depends on
whether the special command is just seen as vendor-specific initialization,
or whether it is really a "technological measure" for copyright
protection. Unfortunately, a broad reading of the DMCA seems to be in
vogue in the U.S. these days.
The XBox team, meanwhile, has a bunch of code it has written for dealing
with the XBox partition scheme and filesystem. They will port it to 2.5 if
it appears that it might actually get merged. That may well happen;
the fun of running Linux on Microsoft-subsidized hardware could be
irresistible.
Incrementally improving the SCSI subsystem
James Bottomley gave a talk at OLS on the plans for improving the SCSI
subsystem. It went into more detail than the Kernel Summit presentation,
and included the outcomes from the Summit discussion. Places where work
will be done include:
- Elimination of the SCSI exception table
- Generic tagged command queueing
- Implementation of write barriers
- Reworking the error handler
- Multipath device support
- Getting rid of the midlayer
The SCSI exception table is an in-kernel list of about 90 (in 2.4.18) SCSI
devices which are known to be poorly behaved; this list only continues to
grow as manufacturers make more and more stupid devices. Many of these
devices misbehave if you try to access a logical unit number other than
zero; others demonstrate more creative sorts of problems. In any case,
this sort of constantly growing blacklist is not the kind of data structure
you want to have taking up more and more kernel space.
The answer here, of course, is to move this table (and its associated
processing) into user space. Rather than handle SCSI device scanning in
the kernel, the SCSI subsystem will just use the /sbin/hotplug
mechanism and let a user space program handle the details. James likes
this solution because it cleans up the SCSI code, and the hotplug code
support "is Greg KH's problem." Greg's enthusiasm was rather more
restrained.
Tagged command queueing (TCQ) changes were discussed at the Kernel Summit
as well. Each SCSI adaptor driver has its own TCQ implementation, which is
not the right way to do it. So TCQ support will be done in the generic
block layer code instead (James once again notes, with satisfaction, that
in the block layer it's somebody else's problem).
One big remaining
problem is "tag starvation," where a disk ignores a request for a long time
while dealing with (newer) requests that it can satisfy more quickly.
Options for fixing this problem include using ordered tags (which force
the completion of all previous tagged operations) or simply shutting down the
request queue until the neglected request gets handled. Either approach
could work; the request-queue throttling technique is thought to be less
hard on the overall performance of the system.
Write barriers are needed for journaling filesystem support; they can be
implemented with ordered tags. The real problem here, as it turns out, is
error handling. If a write barrier operation fails, subsequent operations
could be executed out of order. Another issue is the "queue full" problem:
the drive rejects the barrier operation because its command queue is full,
but then accepts a command issued after the barrier. This is a sort of
race condition which is difficult, if not impossible, to produce on real
systems, but it is a problem which can occur.
The current SCSI error handler is a "pluggable" mechanism which allows the
provision of operations for a set of predefined situations. The
"pluggable" interface has never been used; everybody uses the default error
handlers, which are seen as heavy-handed and insufficiently smart.
The new error handler should also handle things like command cancellation,
a feature required by asynchronous I/O.
The new error handler should, instead, be message-oriented, allowing
greater flexibility in what sorts of situations can be dealt with. It
should also be stackable and available to higher levels. Volume managers
and RAID, for example, want a detailed picture of exactly what sort of
errors are happening so that they can respond intelligently; "bad block"
requires a different response than "drive on fire," but there is currently
no way for higher levels to tell the difference.
In the end, much of the error handling code needs to move into, of course,
the block layer. IDE drives also have errors, and higher-level code should
not have to know the difference. So, happily (for James), much of it
becomes somebody else's problem.
Support for multipath devices, too, should be implemented in the block
layer - and thus be somebody else's problem. One big issue with multipath
devices is the preservation of write barriers. A command which is meant to
execute after a write barrier could be sent via a different path and
overtake the barrier operation.
The death of the midlayer is expected to be "a slow process via
starvation." The internal SCSI request structure may be replaced by the
generic block level version, and much of the current SCSI functionality
will migrate up to the higher levels. The end result will be a vastly
thinner SCSI midlayer which has had most of its functionality moved up to
the higher layers. This work, of course, will allow more common code to be
shared across disk subsystems. It also means that, for example, the
ide-scsi driver can be eliminated. Under the new system, it will be a
straightforward task to connect the high-level SCSI code with the low-level
IDE transport.
This is all a big job, of course; it is not expected to be done by
the 2.5 feature freeze.
Patches and updates
Kernel trees
Core kernel code
- Robert Love: 2.5: fair scheduler hints. "Scheduler hints are a way for a program to give a "hint" to the scheduler about its present behavior in the hopes of the scheduler consequently making better scheduling decisions." (July 3, 2002)
Device drivers
Documentation
Filesystems and block I/O
- Alasdair Kergon: device-mapper for 2.4. "Device-mapper is a light-weight driver designed to support volume managers generically." (June 27, 2002)
Janitorial
Kernel building
Memory management
Networking
Architecture-specific
Miscellaneous
Page editor: Jonathan Corbet
Distributions
Distribution News
Debian News
The
Debian Weekly News for July 2, 2002 is
out. This edition speculates that UnitedLinux will be based on the
Debian distribution (since there is no other way to "include" Debian as
Caldera UnitedLinux leader Ransom Love has said he wants to do).
Additional topics include Java Beans for Debian People, Security Updates
for Woody, and much more.
Another revision of Debian 2.2 (potato) is
underway. Debian GNU/Linux 2.2r7 should be available soon. Security
fixes and critical bug fixes are the focus of this release.
Henrique de Moraes Holschuh has published a
paper that details the operation of Debian init scripts. The paper
is derived from a talk that will be given at the upcoming Debconf2.
Debian Project Leader Bdale Garbee announced that Mako has been delegated to help
handle project donations. Also, Debian will be joining OASIS, the
Organization for the Advancement of Structured Information Systems. Mark
Johnson has been appointed as Debian's initial official representative to
OASIS.
Mandrake Linux
MandrakeSoft
announced that it is cooperating
with AMD to port Mandrake Linux to the forthcoming eighth-generation AMD
Athlon and AMD Opteron processor-based platforms.
Mandrake Linux has a new package available that provides older
distributions with the same rpm macros that are available in Mandrake
Linux 8.2.
Limbo: a new Red Hat Linux beta
Red Hat has announced "Limbo," a new beta version of the Red Hat Linux
distribution. It includes gcc 3.1, the 1.0 releases of Mozilla and
OpenOffice, the "latest desktop technology," and more. "Such beta software
as LIMBO is not intended for use on mission critical or production systems.
Use on such systems could lead to loss of uptime, data, money, employment,
or sentience."
SuSE News
SuSE has announced several new products including the SuSE Linux Groupware
Server, SuSE Linux eMail Server 3.1, and the SuSE Linux Pro-Office CD with
StarOffice®.
Terra Soft ships Yellow Dog Linux 2.3
Terra Soft Solutions has announced the release of Yellow Dog
Linux 2.3. YDL is a PowerPC distribution, of course; this release
includes KDE 3, a 2.4.19 kernel (even though said kernel has not yet
been released), OpenOffice 1.0, and more.
New Distributions
uClibcLinux
uClibcLinux is a Linux distribution based on uClibc. This source-based
distribution has two main goals:
- provide an easily extensible build-system
- provide a repository of software compiling and running with uClibc
The initial version, 0.4.5, was released June 25, 2002.
Minor distribution updates
Aurora Sparc Project
The
Aurora Sparc Project has
released build 0.3 (Phoenix). With the exception of Anaconda, Phoenix is a
complete Red Hat 7.3 based tree, including KDE3, Gnome 1.4, XFree86 4.2.0,
a 2.4.18 kernel, and both gcc 2.96 and 3.1 compilers.
Bernhard's Bootable Linux CD
BBLCD has released
version 0.7.2 with major
feature enhancements.
Engarde Secure Linux
Engarde Secure Linux has
released
version 1.2
(Professional). "Professional features include a network
gateway firewall, network address translation, secure network services,
virtual Web site hosting, complete Web site development, broadband
connectivity, secure Web management, built-in support and alerts,
Security Control Center, network intrusion detection, host intrusion
detection, monitoring of system access, protection against data loss,
Guardian Digital Secure Network Service, and much more."
Two new versions of Enterprise Linux
ImageStream has released two new versions of Enterprise Linux
for its router customers,
Enterprise Linux 3.2.3, and
Enterprise Linux 4.0.0.
floppyfw
floppyfw has released
stable version 1.0.13
with minor feature enhancements.
LEAF (Linux Embedded Appliance Firewall)
The
LEAF branch WISP-Dist
released
version 2213.
"WISP-Dist is a LEAF release/branch for wireless routers, but can
be used for other purposes as well. The entire system fits in 8 MB
flash/16 MB RAM. Highlights include an easy-to-use menu interface,
commandline access, an Access Point mode (on selected cards), OSPF/RIPv2,
bandwidth shaping, NAT, and other goodies."
Leka Rescue Floppy
Leka Rescue Floppy has released
stable version 0.7.0 with
major feature enhancements.
Linpus Linux 8.2 Release
Linpus Technologies, Inc announced the release and availability of the
Linpus Linux 8.2 desktop and server operating system.
MkLinux Security Update
MkLinux has released a security upgrade for recent OpenSSH vulnerabilities. This requires upgrading both OpenSSL and OpenSSH to versions 0.9.6d and 3.4p1, respectively. "
Some advanced features have not been fully
tested due to insufficient prior notice. This upgrade is strictly
use-at-your-own risk."
PXES Linux Thin Client
PXES Linux Thin Client has
released
version
0.5-Beta4 with major feature enhancements.
Sentry Firewall CD-ROM
Sentry Firewall has released
version 1.3.0-3.
"OpenSSH, BIND, and Apache have been updated to fix recent
bugs. The HOWTO has been updated to accommodate new project
branches."
Page editor: Rebecca Sobol
Development
AxKit
AxKit is an Apache-based
XML Application Server. The AxKit home page says:
"It provides on-the-fly conversion from XML to any format, such as HTML, WAP or text using either W3C standard techniques, or flexible custom code. AxKit also uses a built-in Perl interpreter to provide some amazingly powerful techniques for XML transformation."
AxKit has these features:
- Content is sent through an XSLT based pipeline with conversion being performed at different stages.
- Content may be presented in different ways to different viewers.
- Media output types include web browsers, palmtops, cell phones, Television, aural, print, projection, and text-only.
- A wide variety of character sets are supported.
- Output may be compressed with GZip for use over slow lines.
- AxKit uses a replaceable component architecture, allowing for easy customization.
- XML transformations can be cached for server efficiency.
- AxKit allows XML information to be pulled from a database or generated from a database query.
- AxKit supports dynamic Perl-based web components for CGI-style capabilities.
- A Perl interpreter is built in, reducing CGI overhead.
- AxKit runs on a wide variety of operating system platforms.
For more information on AxKit, see the following documents:
AxKit is licensed under the
Apache Software License.
Two AxKit based projects are listed below under
Web Site Development.
System Applications
Audio Projects
Ogg Traffic for Monday, July 1, 2002
The July 1, 2002 edition of
Ogg Traffic
is out, following a six month hiatus. Check it out for the latest
Ogg Vorbis status. There is also an announcement for the new
Ogg Theora VP3 video project.
Web Site Development
Taglib TMTOWTDI (Perl.com)
Barrie Slaymaker
shows how to write Taglibs with AxKit.
"As with many Perl systems, AxKit often provides multiple ways of doing things. Developers from other programming cultures may find these choices and freedom a bit bewildering at first but this (hopefully) soon gives way to the realization that the options provide power and freedom."
AxKit is an XML Application Server for Apache.
CallistoCMS - AxKit CMS Goodness (use Perl)
Use Perl has an announcement for the first release of the Callisto content
management system from Michael Nachbaur. "I haven't tried it yet,
but it sounds cool, with features like WYSIWYG XML content editing,
transactional site deployment to multiple servers in a farm, vhosting
support, and so on."
mnoGoSearch 3.1.20 and mnoGoSearch-php-3.2.0.beta4
mnoGoSearch 3.1.20 and mnoGoSearch-php-3.2.0.beta4
have been released.
The former is a security patch release, and the latter adds a few minor
code changes.
Web Services
Are Your Web Services Working Correctly? (Linux Journal)
Linux Journal
shows how to use Linux, Perl and other free software to check your web services. "
To help with this identification process, I started to think about an application that would periodically perform a series of checks on URLs to alert us in case of problems. I'd previously found that the perfect language for me was Perl. I'd learned it writing some little CGI scripts, and I've enough confidence with it to prefer it to other languages."
Miscellaneous
Developing a Linux command-line utility (IBM developerWorks)
Vasudev Ram
explains the details of command-line utility writing on IBM's developerWorks.
"Learn how to write Linux command-line utilities that are foolproof enough even for end users. Starting with an overview of solid command-line best practices and finishing with a comprehensive tour of a working page-selection tool, this article gives you the background you need to begin writing your own utilities."
Desktop Applications
Desktop Environments
KDE 3.0.2 released
KDE 3.0.2 has been
released.
"KDE 3.0.2 primarily provides usability and stability enhancements
over KDE 3.0.1, which shipped in late May 2002."
Games
New on PyGame
The
PyGame site
has an announcement for version 1.5 of the Pygame module set.
"After a solid three week testing on the release candidate, the latest version is ready. Big new features for the audio modules. Sound panning for stereo effects, better control over music playback, and a new sndarray module for creating your own realtime sound effects with Numeric. A wide variety of other new features like alpha preserving blits, gamma ramp control, and saving tga images." Several new game versions are also available on the site.
Graphics
Graphics programming with libtiff (IBM developerWorks)
Michael Still shows how to work with libtiff for the generation of
raster images on IBM's developerWorks. See
part 1, which was published in March, and
part 2, which was published in June.
GUI Packages
FLTK 1.1.0rc4 released
Version 1.1.0rc4 of FLTK, the Fast, Light ToolKit
has been released.
Office Applications
AbiWord Weekly News #98
Issue #98 of the
AbiWord Weekly News is out. The main topic this week is
the appearance of a number of new UNCONFIRMED bugs.
KC GNUe #35
Issue #35 of Kernel Cousin GNUe
is available. Topics include
Application Server triggers,
Bayonne and GNUe Workflow,
Checkboxes and button triggers in Forms,
Using XML to describe database schemas,
Testing the 0.3.0 releases on Microsoft Windows,
Tooltips in Forms,
GNUe Documentation,
Foreign Key drop-down boxes,
Multi-table Datasources,
Head and branch in CVS,
Spam on GNUe's bug-tracking e-mail gateway,
Two-column drop-down boxes for foreign keys and
NOLA as a free alternative to GNUe Financials.
KOffice 1.2beta2 is Out!
KDE.News has
an announcement
for version 1.2beta2 of KOffice.
"KOffice 1.2beta2 is out, sporting an impressive number of changes, with improvements all around the board including substantial filter improvements, footnotes in KWord, and templates in KSpread."
Miscellaneous
KWinTV Rewrite Alpha 1
KDE.News has
an announcement
for the Alpha 1 release of KWinTV, a video display application for KDE.
"This release is intended as
a basic demonstration of the design of the application. It provides
functionality in the form of support for Xv video streams, OSS mixer
(/dev/video, mixer 0), and XML channel files. It most likely only works on
Linux, and in fact may only work on ia32 hardware."
Bluefish 0.7
Version 0.7 of the Bluefish HTML editor
has been released.
Changes include numerous bug fixes, more translations,
custom search-and-replace macros, and memory-leak fixes.
A new gtk2 port is also available.
Languages and Tools
Java
Struts and Tiles aid component-based development (IBM developerWorks)
Wellie Chao
shows how to work with Java Struts and Tiles.
"The Model-View-Controller (MVC) framework is a proven and convenient way to generate organized, modular applications that cleanly separate logic, style, and data. In the Java world, Struts is one of the best-known and most talked about open source embodiments of MVC. Struts contributors have recently enhanced the project's core functionality and improved the view support, incorporating the Tiles view component framework to strengthen support for component-based development, to increase reuse, and to enhance consistency."
Perl
This week on Perl 6 (Perl.com)
Perl.com's
This week on Perl 6 is out for June 24-30, 2002.
Topics include System calls/spawning new processes, Ruby iterators,
Fun with the Perl 6 Grammar, The Increasingly Misnamed 'Perl5 humor' Thread,
stack performance, and more.
Synopsis 5 (Perl.com)
Allison Randal and Damian Conway
summarize Larry Wall's Apocalypse 5 document.
PHP
PHP Weekly Summary for July 1, 2002
The July 1, 2002 edition of the
PHP Weekly Summary covers bugs with ZE2 $argc/$argv and
Win32 snapshots, fixes for Apache 2 support, PHP and Java,
Session handling with MM, and LDAP functions,
and a new phpinfo() with CLI.
Python
Dr. Dobb's Python-URL
Dr. Dobb's Python-URL for July 1 is out, with the latest happenings from
the Python community.
Daily Python-URL
This week's entries on the
Daily Python-URL
include a EuroPython Diary, Pyzzle, the Python Database Application
Programming Interface, Stackless Python for PowerPC, Wrap your mind around Python, OfflineIMAP, String manipulation and regular expressions,
an interview with Jürgen Hermann, the Python Object Database,
the Pymps PYthon Music Play System, and more.
Ruby
Ruby Weekly News
The July 1, 2002 edition of the
Ruby Weekly News looks at Ruby-GetText-Package-0.3.0 and
Ruby-GNOME 0.29, and features discussions on Perl vs. Ruby,
Ruby on the Palm, the Gvim interface to the ruby debugger, and
documentation licenses.
Tcl/Tk
This week's Tcl-URL
Dr. Dobb's Tcl-URL for July 1 is out; it looks at the 3rd Tcl'Europe
Conference, the new ActiveTcl releases, tDOM 0.7.1, and more.
XML
Cataloging XML Vocabularies (O'Reilly)
Eric van der Vlist
writes about XML vocabularies on O'Reilly.
"I've been involved recently in many discussions and projects oriented around a simple and common question: "how do I create an XML vocabulary?" The formulation was often different -- "how do I create a namespace?" or "how do I publish an XML schema?" -- but the central issue was always about what infrastructure to create and which methods should be used to advertise the newly created vocabulary."
Simple XML Parsing with SAX and DOM (O'Reilly)
Philipp K. Janert
illustrates XML parsing on O'Reilly.
"In this article, I would like to offer an accessible introduction to the two most widely used APIs: SAX and DOM. For each API, I will show a sample application that reads an XML document and turns it into a set of Java objects representing the data in the document, a